Redefine WIN32_FIND_DATA as a BaseStruct

Author: elicn

qiling/os/windows/dlls/kernel32/fileapi.py

@@ -15,7 +15,7 @@
 from qiling.os.windows.const import *
 from qiling.os.windows.fncc import *
 from qiling.os.windows.handle import Handle
-from qiling.os.windows.structs import Win32FindData
+from qiling.os.windows.structs import FILETIME, make_win32_find_data
 
 # DWORD GetFileType(
 #   HANDLE hFile
@@ -46,50 +46,67 @@ def hook_FindFirstFileA(ql: Qiling, address: int, params):
     filename = params['lpFileName']
     pointer = params['lpFindFileData']
 
-    if filename == 0:
+    if not filename:
         return INVALID_HANDLE_VALUE
-    elif len(filename) >= MAX_PATH:
+
+    if len(filename) >= MAX_PATH:
         return ERROR_INVALID_PARAMETER
 
-    target_dir = os.path.join(ql.rootfs, filename.replace("\\", os.sep))
-    ql.log.info('TARGET_DIR = %s' % target_dir)
-    real_path = ql.os.path.transform_to_real_path(filename)
+    host_path = ql.os.path.virtual_to_host_path(filename)
 
     # Verify the directory is in ql.rootfs to ensure no path traversal has taken place
-    if not os.path.exists(real_path):
+    if not ql.os.path.is_safe_host_path(host_path):
         ql.os.last_error = ERROR_FILE_NOT_FOUND
+
         return INVALID_HANDLE_VALUE
 
     # Check if path exists
     filesize = 0
+
     try:
-        f = ql.os.fs_mapper.open(real_path, "r")
-        filesize = os.path.getsize(real_path)
+        f = ql.os.fs_mapper.open(host_path, "r")
+
+        filesize = os.path.getsize(host_path)
     except FileNotFoundError:
         ql.os.last_error = ERROR_FILE_NOT_FOUND
-        return INVALID_HANDLE_VALUE
 
-    # Get size of the file
-    file_size_low = filesize & 0xffffff
-    file_size_high = filesize >> 32
+        return INVALID_HANDLE_VALUE
 
     # Create a handle for the path
     new_handle = Handle(obj=f)
     ql.os.handle_manager.append(new_handle)
 
-    # Spoof filetime values
-    filetime = ql.pack64(datetime.now().microsecond)
-
-    find_data = Win32FindData(
-                ql,
-                FILE_ATTRIBUTE_NORMAL,
-                filetime, filetime, filetime,
-                file_size_high, file_size_low,
-                0, 0,
-                filename,
-                0, 0, 0, 0,)
-
-    find_data.write(pointer)
+    # calculate file time
+    epoch = datetime(1601, 1, 1)
+    elapsed = datetime.now() - epoch
+
+    # number of 100-nanosecond intervals since Jan 1, 1601 utc
+    # where: (10 ** 9) / 100 -> (10 ** 7)
+    hnano = int(elapsed.total_seconds() * (10 ** 7))
+
+    mask = (1 << 32) - 1
+
+    ftime = FILETIME(
+        (hnano >>  0) & mask,
+        (hnano >> 32) & mask
+    )
+
+    fdata_struct = make_win32_find_data(ql.arch.bits, wide=False)
+
+    with fdata_struct.ref(ql.mem, pointer) as fdata_obj:
+        fdata_obj.dwFileAttributes   = FILE_ATTRIBUTE_NORMAL
+        fdata_obj.ftCreationTime     = ftime
+        fdata_obj.ftLastAccessTime   = ftime
+        fdata_obj.ftLastWriteTime    = ftime
+        fdata_obj.nFileSizeHigh      = (filesize >> 32) & mask
+        fdata_obj.nFileSizeLow       = (filesize >>  0) & mask
+        fdata_obj.dwReserved0        = 0
+        fdata_obj.dwReserved1        = 0
+        fdata_obj.cFileName          = filename
+        fdata_obj.cAlternateFileName = 0
+        fdata_obj.dwFileType         = 0
+        fdata_obj.dwCreatorType      = 0
+        fdata_obj.wFinderFlags       = 0
 
     return new_handle.id
 

qiling/os/windows/structs.py

@@ -1634,85 +1634,27 @@ class OBJECT_ALL_TYPES_INFORMATION(Struct):
     return OBJECT_ALL_TYPES_INFORMATION
 
 
-# typedef struct _WIN32_FIND_DATAA {
-#   DWORD    dwFileAttributes;
-#   FILETIME ftCreationTime;
-#   FILETIME ftLastAccessTime;
-#   FILETIME ftLastWriteTime;
-#   DWORD    nFileSizeHigh;
-#   DWORD    nFileSizeLow;
-#   DWORD    dwReserved0;
-#   DWORD    dwReserved1;
-#   CHAR     cFileName[MAX_PATH];
-#   CHAR     cAlternateFileName[14];
-#   DWORD    dwFileType;
-#   DWORD    dwCreatorType;
-#   WORD     wFinderFlags;
-# } WIN32_FIND_DATAA, *PWIN32_FIND_DATAA, *LPWIN32_FIND_DATAA;
-class Win32FindData(WindowsStruct):
-    def write(self, addr):
-        super().generic_write(addr, 
-            [
-                self.file_attributes, self.creation_time,
-                self.last_acces_time, self.last_write_time, 
-                self.file_size_high, self.file_size_low, 
-                self.reserved_0, self.reserved_1, self.file_name,
-                self.alternate_file_name, self.file_type, 
-                self.creator_type, self.finder_flags
-            ])
-    
-    def read(self, addr):
-        super().generic_read(addr, 
-            [
-                self.file_attributes, self.creation_time,
-                self.last_acces_time, self.last_write_time, 
-                self.file_size_high, self.file_size_low, 
-                self.reserved_0, self.reserved_1, self.file_name,
-                self.alternate_file_name, self.file_type, 
-                self.creator_type, self.finder_flags
-            ])
-
-    def __init__(self, 
-                ql, 
-                file_attributes=None, 
-                creation_time=None, 
-                last_acces_time=None,
-                last_write_time=None, 
-                file_size_high=None,
-                file_size_low=None,
-                reserved_0=None, 
-                reserved_1=None, 
-                file_name=None,
-                alternate_filename=None,
-                file_type=None, 
-                creator_type=None, 
-                finder_flags=None):
-        super().__init__(ql)
-        
-        # Size of FileTime == 2*(DWORD)
-        self.size = (
-            self.DWORD_SIZE               # dwFileAttributes
-            + (3 * (2 * self.DWORD_SIZE)) # ftCreationTime, ftLastAccessTime, ftLastWriteTime
-            + self.DWORD_SIZE             # nFileSizeHigh
-            + self.DWORD_SIZE             # nFileSizeLow
-            + self.DWORD_SIZE             # dwReservered0
-            + self.DWORD_SIZE             # dwReservered1
-            + (self.BYTE_SIZE * 260)      # cFileName[MAX_PATH]
-            + (self.BYTE_SIZE * 14)       # cAlternateFileName[14]
-            + self.DWORD_SIZE             # dwFileType
-            + self.DWORD_SIZE             # dwCreatorType
-            + self.WORD_SIZE)             # wFinderFlags
-        
-        self.file_attributes = file_attributes
-        self.creation_time = creation_time
-        self.last_acces_time = last_acces_time
-        self.last_write_time = last_write_time
-        self.file_size_high = file_size_high
-        self.file_size_low = file_size_low
-        self.reserved_0 = reserved_0
-        self.reserved_1 = reserved_1
-        self.file_name = file_name
-        self.alternate_file_name = alternate_filename
-        self.file_type = file_type
-        self.creator_type = creator_type
-        self.finder_flags = finder_flags
+# https://docs.microsoft.com/en-us/windows/win32/api/minwinbase/ns-minwinbase-win32_find_dataw
+def make_win32_find_data(archbits: int, *, wide: bool):
+    Struct = struct.get_aligned_struct(archbits)
+
+    char_type = (ctypes.c_wchar if wide else ctypes.c_char)
+
+    class WIN32_FIND_DATA(Struct):
+        _fields_ = (
+            ('dwFileAttributes',   ctypes.c_uint32),
+            ('ftCreationTime',     FILETIME),
+            ('ftLastAccessTime',   FILETIME),
+            ('ftLastWriteTime',    FILETIME),
+            ('nFileSizeHigh',      ctypes.c_uint32),
+            ('nFileSizeLow',       ctypes.c_uint32),
+            ('dwReserved0',        ctypes.c_uint32),
+            ('dwReserved1',        ctypes.c_uint32),
+            ('cFileName',          char_type * MAX_PATH),
+            ('cAlternateFileName', char_type * 14),
+            ('dwFileType',         ctypes.c_uint32),
+            ('dwCreatorType',      ctypes.c_uint32),
+            ('wFinderFlags',       ctypes.c_uint16)
+        )
+
+    return WIN32_FIND_DATA